[Solved] Can't route LAN traffic through VPN

Hello and thanks in advance for your time.

I am struggling with routing all LAN & WiFi traffic through VPN. My setup is pretty simple: an x86 machine with

OpenWrt 23.05.0-rc3 r23389-5deed175a5 / LuCI openwrt-23.05 branch git-23.219.80063-bece581
openvpn-openssl 2.5.8-3

installed.

The traffic originating from the router itself is routed through VPN, but not the WiFi traffic. I have read similar topics and tried to implement a lot of configuration, but I am failing to do so.

So, on this desperate note, I am asking for help. Check the provided configuration and if anything is missing, please let me know:

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdfd:48d1:a82b::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'
        option stp '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'
        option force_link '1'

config interface 'vpn'
        option proto 'dhcp'
        option device 'tun0'
        option hostname '*'

config device
        option name 'phy0-ap0'
        option ipv6 '0'

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option family 'ipv4'
        list network 'lan'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option family 'ipv4'
        list network 'vpn'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'vpn'

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:02.5/0000:02:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option country '**'
        option distance '20'
        option beacon_int '211'
        option txpower '18'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid '*********'
        option encryption 'psk2+ccmp'
        option key '********'
        option dtim_period '29'
        option network 'lan'
        option short_preamble '0'
        option skip_inactivity_poll '1'
        option wpa_disable_eapol_key_retries '1'

OpenVPN configuration

client
dev tun0
proto udp
remote ********* 1194
resolv-retry infinite
remote-random
nobind
redirect-gateway def1
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 60
reneg-sec 0
comp-lzo no
verify-x509-name CN=***********
auth-nocache
mute-replay-warnings
remote-cert-tls server

pull-filter ignore 'ifconfig-ipv6'
pull-filter ignore 'route-ipv6'

ca '/etc/openvpn/ca.crt'
auth-user-pass '/etc/openvpn/credentials'
verb 6
fast-io
cipher AES-256-CBC
auth SHA512
key-direction 1
tls-auth '/etc/openvpn/ta.key' 1

script-security 2
route-delay 5

Thanks in advance once again.

Start with correcting that it should be:

      option proto 'none'
      option device 'tun0'

Reboot afterwards

Probably not the culprit but I will look further into it

In the meantime can you show output of
ip ro
ip ru

Done with the correction & rebooted, still the same result.

ip ro

0.0.0.0/1 via 10.8.0.1 dev tun0
default via 10.0.1.1 dev br-lan proto static src 10.0.1.3
10.0.1.0/29 dev br-lan proto kernel scope link src 10.0.1.3
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
128.0.0.0/1 via 10.8.0.1 dev tun0
178.132.104.180 via 10.0.1.1 dev br-lan

ip ru

0:      from all lookup local
1:      from all iif br-lan lookup 100
32766:  from all lookup main
32767:  from all lookup default

It looks like you are using a form of Policy Based routing?

Furthermore, this router looks like it is set up as a Wireless Access Point.

All your LAN clients will simply bypass this router unless their gateway is specifically pointed to this router.

This was a leftover from some previous configuration (trial & error). I have removed everything related and rebooted.

ip ro

0.0.0.0/1 via 10.8.3.1 dev tun0
default via 10.0.1.1 dev br-lan proto static src 10.0.1.3
10.0.1.0/29 dev br-lan proto kernel scope link src 10.0.1.3
10.8.3.0/24 dev tun0 proto kernel scope link src 10.8.3.2
128.0.0.0/1 via 10.8.3.1 dev tun0
178.132.104.180 via 10.0.1.1 dev br-lan

ip ru

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Still the same result.

Furthermore, this router looks like it is set up as a Wireless Access Point.

There is no WAN interface, only LAN. Another router (ONT) is doing DHCP (this will be changed in the future) and acts as the gateway.

My initial goal is to check the maximum speed this x86 machine can provide through VPN and since there is one single LAN port (this will be changed in the future as well), I can conduct these tests only through WiFi.

Yes of course, this is set up as a Wireless Access Point (WAP) / dumb switch.

All traffic will bypass your VPN client.

You can set the gateway of your clients pointing to this WAP, or you can set up dnsmasq on your main router to hand out that gateway to all clients, or, with the help of tagging, only to some clients.

On the main router you can do that with:

uci add_list dhcp.lan.dhcp_option="3,192.168.1.2"
uci commit dhcp
/etc/init.d/dnsmasq restart

Option 3 is the gateway setting. I just used 192.168.1.2 as the address of the WAP; you might want to set a static IP on the WAP or make a static lease on the main router for the WAP.

see: https://openwrt.org/docs/guide-user/base-system/dhcp_configuration

Alternatively set the gateway on the individual clients
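To make the two findings of this thread concrete (the `redirect-gateway def1` routes seen in the `ip ro` output above, and why a wireless client whose gateway is the ONT never touches the VPN), here is an added example that is not part of the original thread. It replays the posted routing table with a longest-prefix-match lookup and compares a client pointed at the ONT (10.0.1.1) with one pointed at the WAP (10.0.1.3); the client IPs and destinations are constructed.

```python
import ipaddress

# Copy of the WAP's `ip ro` output as posted in the thread. The two /1 routes
# are what OpenVPN's "redirect-gateway def1" installs: together they cover the
# whole IPv4 space and, being more specific than "default", win every lookup
# except for the VPN server itself, which keeps a /32 via the real gateway.
WAP_ROUTES = """\
0.0.0.0/1 via 10.8.3.1 dev tun0
default via 10.0.1.1 dev br-lan proto static src 10.0.1.3
10.0.1.0/29 dev br-lan proto kernel scope link src 10.0.1.3
10.8.3.0/24 dev tun0 proto kernel scope link src 10.8.3.2
128.0.0.0/1 via 10.8.3.1 dev tun0
178.132.104.180 via 10.0.1.1 dev br-lan
"""

WAP_IP = "10.0.1.3"                                # x86 box running OpenVPN
LAN = ipaddress.ip_network("10.0.1.0/29")          # subnet shared with the ONT


def parse_routes(text):
    """Turn `ip ro` lines into (network, via, dev) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dst = "0.0.0.0/0" if f[0] == "default" else f[0]
        net = ipaddress.ip_network(dst, strict=False)   # bare host -> /32
        via = f[f.index("via") + 1] if "via" in f else None
        routes.append((net, via, f[f.index("dev") + 1]))
    return routes


def lookup(routes, dst):
    """Kernel-style longest-prefix match; returns the egress device on the WAP."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[2]


def client_path(client_gw, dst, routes):
    """Where a wireless client's packet to dst ends up.
    On-link destinations are switched inside br-lan and use no gateway at all;
    a client whose gateway is the ONT hands the packet to the ONT directly, so
    the WAP's routing table (and therefore tun0) is never consulted."""
    if ipaddress.ip_address(dst) in LAN:
        return "br-lan"
    if client_gw != WAP_IP:
        return "bypass"
    return lookup(routes, dst)
```

Run `client_path("10.0.1.1", "8.8.8.8", routes)` against `client_path("10.0.1.3", "8.8.8.8", routes)` to see the difference the DHCP option 3 change makes.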

That was it. I feel so dumb (as the AP). I've manually set up the gateway on the wireless client and it worked as expected.
Thank you for time and effort!

Glad I could be of assistance :slight_smile:

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
